EPISODE 6: Justine Bone

In this episode Lucas interviews Justine Bone, a ballet dancer turned spy who became the first CISO of Bloomberg. Justine's experience as a founder of multiple cybersecurity companies also comes to the forefront, offering a rare insight into the industry's dynamic landscape.

Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.

Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.

Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.

PODCAST TRANSCRIPT

Lucas Nelson (00:01.489)

Welcome to Cyber Thoughts, the podcast where we explore InfoSec through leaders in the field. Today is my great pleasure to welcome Justine Bone, the Chief Product Officer at Redjack. Justine has had just an amazing career. I've known her for years. We've been in the same circles. She's been at places like Dow Jones. She's been a multiple-time founder, maybe a spy? I don't know. I've known Justine for a long time, but I've never really gotten the full story. So I'm really excited to have Justine on the podcast.

Justine, hello.

Justine Bone (00:32.854)

Hey, Lucas thanks very much for having me.

Lucas Nelson (00:35.645)

Pleasure is mine. So I did some LinkedIn searching on you. And I noticed that you started out in the Royal Ballet, where we all start our InfoSec career. Tell me about how to go from ballerina to cybersecurity guru.

Justine Bone (00:53.799)

Yeah, well I remember the day very specifically actually. It was in a town in Switzerland and I'd spent another day auditioning with yet another ballet company and at the time, and perhaps still to this day, very ambitious, wanted to be the best, right, very determined to make it to the front of that stage on the other side of the world. And I had a bit of a moment of reckoning where I realized quite what the competitive landscape looked like.

You know, when you're from a small country down under with sort of one ballet school and one company, then you go to, you know, really the birthplace of that art, Europe, and you come to appreciate the level of community commitment to that kind of an art form for so many people, so many families whose children will start training very, very young. It's a really intense landscape. So I came to this sort of realization that, you know what, even if I can make this work.

The chances of me ending up, you know, like 30 years old and two broken hips and not much to show for it are fairly high. So I thought, you know what, I'm gonna retrain. I'm gonna completely, I'm gonna reinvent myself. I'm gonna go back to what I used to do in school and I'm gonna retrain and I'm gonna study mathematics and I'm gonna be this really great mathematician. And so I flew all the way back to my home country and I signed up at university and I got started and then very quickly realized mathematics at university is extremely difficult. Then I discovered computer science. And relatively, you know, so just a bit more practical, a bit more hands on, right? Although that was challenging for all sorts of reasons. And then, you know, fast forward a year or two when I sort of faced the decision where I needed to specialize, I weighed up a couple of options. One was this whole sort of information security path.

Lucas Nelson (02:25.308)

Oh, the easy way out.

Justine Bone (02:46.518)

There were no classes in information security at my university, but I realized that there were directions I might be able to go into to specialize in that direction or artificial intelligence. So my university specialized in artificial intelligence. And I was like, which one do I do? And I ended up concluding that AI would keep me in academia maybe forever. Because this was during something that we call the AI winter now. This is pre-cloud, pre, you know.

The resources that we have now and the advancements that have happened with regards to AI. Or this whole information security thing looks really interesting, it looks really fun, definitely going to be a problem, right? So the chances of me being able to save up some cash and make a real go of it were higher. And so I intentionally chose to go in that direction and then started thinking about employment opportunities from there.

Lucas Nelson (03:41.961)

Cool, so if memory serves, you started as kind of a hardcore analyst. You were X-Force. So how did that start? And then how did you make the jump to light speed as a CISO, which is a very different job, right? 

Justine Bone (03:57.962)

Yeah, for real. Well, we will talk more about that because back then you could argue that it wasn't so different. But okay, so first things first, that whole spy thing. New Zealand, the late 90s, there was really very little private sector opportunity in information security, as we called it then.

In fact, there was none. There's basically none. Maybe there was that one job that I'd never heard of, but the banks weren't hiring. Everything was just non-existent. So government service was really the only way to get into the industry. So I joined New Zealand's Government Communications Security Bureau, which as a member of the Five Eyes intelligence community, presented several opportunities to me. And my timing was fortunate in that New Zealand had just recently been invited to start participating in the more active computer network operations, what we would call offense side of things. So my timing was perfect, and my skills that developed were perfect in my opinion, on the offensive side of things. So I got to learn all the cool fun hacking stuff, right? I could reverse engineering and vulnerability research and exploit development. So that was just the nature of the timing of my entrance into the industry.

And those skills obviously transferred with me as I moved from government service into the private sector, which was the time that I immigrated to the United States. So lucky enough to land one of those H1B work visas and convince the company called ISS that I had the hacking skills that would bring value to the table. And that was also fortunate timing because it was very early 2000s.

Within the private sector, very low awareness of things like zero days and exploits and web application problems. Meanwhile, everybody's standing up their new front end, right? Their new online retail or their new banking website or what have you. Hacking was easy back then. I mean, everybody looked at it like it was this magical, highly skilled thing, but you put the right SQL query together after an apostrophe at the end of a URL and boom, you've downloaded a database. So, you're not going to be able to do that.

Justine Bone (06:13.674)

I spent a few years, you know, obviously trying to keep my skills polished, but keeping that sort of offensive, those roots that I had from earlier in my career, but bringing that into the private sector when there were very few people with that kind of a skill set. And this was early days, you know, penetration testing has raised an eyebrow. Why would you want to do that? You know, isn't that illegal? Why would you wanna hire a bunch of hackers? That was the way that folks thought back then. 

You know, I guess the long story short is throughout my career, I've kind of been at that tipping edge of where industry is at. And that led into security leadership when nobody knew what security leadership was. And we kind of got to write our own job description to a certain extent. So I'd come from this like super hands on hardcore hacking background. And I brought that into my leadership strategy. You know.

Bloomberg at the time, because that was how I prioritized understanding exposure and risk, the first thing I did was build this amazing world-class hacking team. And we banged away at that Bloomberg terminal till it couldn't be broken anymore. So I brought that philosophy all the way into security leadership, even back in those early days, because there was no playbook for CISOs back then. Most organizations still didn't even have a CISO.

They might have had a head of network security or something like that, but certainly as well on the application side of things, it was all kind of just a new playing field. So I was an ambitious person. I put forward some proposals related to security leadership, and I was luckily given the opportunity to deliver on those responsibilities. What we could consider now to be a very early reflection of what sort of made my background a bit unique and the maturity or perhaps immaturity of the industry at that time as well. So, you know, now we understand a CISOs not a technically first, you know, technically oriented responsibility and this is all about risk articulation and you know, understanding the business. But back then that was not best practice. That was not how our executives thought of information insecurity, it was considered a technical problem. Go away, tell me when you're done. Breach is not going to happen, right? That was the way people thought about it. So a very different time.

Lucas Nelson (08:48.661)

So I have to give two pieces of background for folks. ISS was an early internet security systems company that had X-Force. Because if you know about X-Force today, it's IBM X-Force. Back then it was ISS. So IBM bought that and then rebranded it, I don't know, a decade later. So that's one. What was the other thing I had? Oh.

So when you were at Bloomberg hiring that world-class team of hackers, all my friends went to work for Bloomberg at that point in time. So it was a fun time. Like, ah, very, very cool. OK, so why don't we, we know how you got into cybersecurity. I'm going to let it be dealer's choice. Do you want to talk about what you're doing today first, or do you want to talk about your startups first? You went and did a couple startups, and those are really interesting to me.

Justine Bone (09:21.93)

Is that right? Yeah.

Lucas Nelson (09:45.146)

So maybe chronologically that makes sense, but I also feel like, you know. Okay.

Justine Bone (09:46.842)

Yeah, let's just do that. Let's just stick with that and then we can lead to what I'm working on today. That'll make sense, I think.

Lucas Nelson (09:54.065)

Cool. So you've done more than one startup. What made you decide to leave the corporate world and make the hard choice to do it for yourself? And why are you mentally brain damaged? I guess it's a real question, right?

Justine Bone (10:15.539)

Yeah, for real. Certainly a roller coaster, isn't it? So during my time at Dow Jones, where I was head of information security and infrastructure, we had leadership, senior leadership that gave a lot of opportunity and encouragement to sort of the entrepreneurs who didn't maybe potentially realize they were entrepreneurs within the organization. In other words, a lot of creativity was encouraged.

Lucas Nelson (10:19.826)

Yeah

Justine Bone (10:43.97)

A lot of agile thinking was encouraged. It was a very safe environment where you could put forward ideas and sometimes those ideas might get traction. So during that time, whilst taking care of enterprise security, I started thinking a lot about product and in this case at Dow Jones, what our strengths were leveraging my background in security. And I put a few ideas forward as MVP, you know, prototype product ideas potentially. And I got some traction with that. And I, that was when I sort of first tasted what it's like to come out of the back office, you know, sit in front of the customer and start thinking about what, what it would be like to build real security solutions, leveraging the resources that I had. So that gave me a taste. And once I had a taste.

Frankly, going back to the back office to manage the day-to-day security operations became much less appealing to me. I wanted to solve business problems. So following Dow Jones, that was really my segue into the entrepreneurial community and the time where I really started focusing on and committing myself to developing solutions in the security space as opposed to the sort of enterprise security management background that most CISOs are focused on. So that led me through a couple of companies that might've been ahead of their time to Health Care and MedSec, which is a company that focuses on medical device risk management, which is another whole school of thought in and of itself. Health Care is a really unique environment.

Lucas Nelson (12:33.789)

So I want to talk about the general stuff about starting a company, but let's do healthcare first because there are a few parts of cybersecurity that really feel different than the rest. And the med-tech world to me is one of them, right? Like the protocols are different, the people are different, all the ecosystem is different. Whereas most places, a CISO looks like a CISO looks like a CISO.

I think there's a couple different environments in med sec is one where like, no, that job feels different. So can you, you know, it starts out with, hey Lucas, you're completely wrong. It's the same as everybody else. That's not gonna be the case. So like, how is it different and how do you get involved in?

Justine Bone (13:14.282)

Yeah, well, how I got involved in this was because of that background kind of in hacking and vulnerability research, and there was not a lot of publicly disclosed research around medical device security at that time. So that was very interesting to me. And then when I realized that the environment within which these devices live and operate and deliver solutions considers risk in such a different way to, you know, financial sector or, you know, retail or media and entertainment, like where I had come from. So once I realized, well, there's not only the sort of implications of the technical vulnerabilities, but the way that risk is managed in the field is completely different. That was kind of what really hooked me on healthcare. And of course, what we're talking about are things like patient safety, which seem like a no-brainer when you just say it, but actually changes the way that risk is managed completely within an organization where things like availability become the number one priority, potentially overriding other best practices like patching and vulnerability management where the risk of side effects on infrastructure are too great to follow best practice in security. So a number of workarounds have to be developed. 

So that was what really got me leaning in. And then when you look at the ecosystem of stakeholders within healthcare who engage and think about medical device security, it's a vast ecosystem ranging from policymakers and regulators through to the very powerful medical device manufacturing community where you've got all spectrum of organizations.

Through to the place where these devices end up within healthcare delivery organizations or hospitals, and now clinics, and now the home, and all the diversity of equipment that goes into that. So a really diverse set of stakeholders as well. So it's a very complex problem, and we could probably talk for the rest of the hour, honestly, about healthcare security and medical device risk management. But it was all that complexity that really got me hooked into that problem for a while.

Lucas Nelson (15:32.841)

So what year did you start MedSec?

Justine Bone (15:35.286)

That was about 2016, I think. Yeah.

Lucas Nelson (15:40.489)

So what was the biggest surprise you found? Because you've been to CISO, you've done other startups. What was the biggest surprise about the medical security world that is just different than kind of InfoSec, as we normally know it?

Justine Bone (15:54.718)

Yeah. And you know what, this is kind of embarrassing, but it took me a while to figure this out. Within a hospital, most of the time, medical device security is not owned by the CISO is not owned by the information security team. So the day-to-day management and the day-to-day risk management of medical device infrastructure usually sits in a whole different department within a healthcare delivery organization called clinical engineering. And the struggle there is that clinical engineering usually reports into a completely different part of the organization to your IT and your information security teams. So what you'll often find, and this is changing, yay, but what you'll often find historically is that although you might have a CISO within a hospital who's well aware of the risks associated with the medical device infrastructure. It's not a part of their mandate to address those risks and to manage those risks. It sits in this other part of the organization where these biomedical engineers are the only ones who have been certified to touch these machines. And that will often report to the chief medical officer of the hospital. So whether you're sitting inside of a hospital on a security team trying to address the problem, or whether you're bringing a solution in from the outside, such as MedZec,

It can be a real challenge to just get an audience with the right folks because, well, by the way, these clinical engineers and these bio-med teams are stretched really, really thin. So getting even a piece of their time is a huge challenge. And you know, it's the same can be said for a security team too, by the way, but the security team usually aware of the problem. It's just getting a hold and managing that problem sometimes out of reach. So that took me about three years to figure that out. 

Lucas Nelson (17:59.785)

That's crazy. So yes, that's something I did not know. 

Justine Bone (18:03.358)

Yeah, yeah. A lot of people, a lot of people who go into healthcare, are not aware of this. And it's now that I advise a few companies, it's something that I try to get on the table really early on, frankly, no matter what the organization is, who the organization is that you're targeting, but we make these assumptions sometimes about security teams and what they are and are not responsible for and the reality can turn out to be quite different.

Lucas Nelson (18:30.205)

So you've done the startup thing a couple different times. Let's use the MedSec, the most recent one, as kind of the way of, what did you do differently that time? What was the learnings from the earlier ones that you used and were like, yep, that was something, I'm glad I learned that on the prior round, so I didn't have to learn it again this time.

Justine Bone (18:56.458)

You know, I went into my eyes a little bit more eyes wide open with MedSec with regards to the real distinction between what it is to deliver a product and what it is to deliver a service. And so many of us technologists think that there's this perfect alignment between the two. And of course, you know, my product should come with these complementary services. And of course, I should be improving, you know, my services by developing tools. And of course, there's this interconnection between the two.

But what I learned to appreciate is that the way that you grow a company typically will be optimized for one or the other. So my early day strategy with Medset was to focus on the development of that product, of that solution, with services as a complimentary function. And it was not an easy journey, but it's definitely a difference round two that I was a lot more cognizant of than earlier in my career where I just hadn't had the experience to appreciate that.

Lucas Nelson (20:02.089)

Cool. So why don't we use that product idea of product and service to jump to what's the problem you're solving today with Redjab?

Justine Bone (20:11.702)

Yeah, well, okay. So thanks for asking. What we're the problem we're solving today is how is the need now to align very operational IT and security capabilities with key business initiatives. Fast forward from 10 years ago when you know, or even earlier, you know, security was considered this technical function and you know, go take care of it back office.

Obviously today, security awareness is so much more well understood at very senior levels within large companies. We've got board of directors now who are being asked to consider and address cybersecurity risk, but there's still a sort of a big disconnect between the boots on the ground, operational teams who are running the tools and who are, you know,playing whack-a-mole with vulnerabilities and the, you know, the board level conversation about risk. And it's a challenge, right? It's a challenge that we talk about. How do we articulate risk? How do we sort of bridge this gap, if you will, between what's going on within a company and company's initiatives and what's going on operationally. So Redjack is developing a technology that facilitates the mapping of those two things, leveraging a bunch of AI and data science to do so.

So we're attacking resilience, or we're addressing resilience, which is also kind of like an evolution in risk management where we understand things like breaches are inevitable. We wonder how resilient we are when it comes to that inevitability of that very bad day arriving, how quickly can we recover, that kind of thing. So that's kind of the resiliency approach now. How do we understand our resiliency and how do we tackle that, given all these priorities within our company. So rather than sit down and have a conversation about that for six months, we're developing a technology to facilitate the process of identifying what's important within a company and mapping that to infrastructure that tells us things like what's my asset inventory and what's my vulnerability landscape look like. So really connecting those dots.

Lucas Nelson (22:27.313)

So I know less about resiliency than I do about cybersecurity. Or they probably are intertwined heavily. But give me the low-hanging fruit use case for this.

Justine Bone (22:41.742)

So, well at Redject we often will come into a situation initiated at the board level where there is some effort to understand business continuity, if you will, capabilities related to business continuity, maybe in response to an incident occurring or maybe in anticipation that an incident might occur in the future.

So there's a methodology and this is a methodology that not many folks are aware of, but it's endorsed by, it's supported by CESA, Cybersecurity Infrastructure Security Agency. And it's called a resiliency review. So basically it's this process that starts at that senior level within an organization of identifying critical business functions within a company. So maybe it's your logistics or maybe it's your payroll or maybe it's your e-commerce or maybe it's a combination of all of these.

Identifying business functions, and then mapping that back to asset inventory and what you've actually got in order to understand what matters most. So it's this methodology that can be applied for a number of different reasons. It's also used by the way outside of traditional information security, things like digital transformation, cloud migration.

That type of a scenario where a company needs to understand where those critical dependencies are organizationally, and then how can that be mapped back to asset inventory, what's actually sitting on my network, which by the way is a fundamental sort of security 101 capability that most organizations still struggle with just because of the rate of adoption of technology like IoT and the proliferation of devices of all kinds.

Lucas Nelson (24:26.201)

Yeah, I mean, there's a there's a number of companies out there that unicorns that only exist to tell you what's on your neck.

Justine Bone (24:33.042)

What's on your network? I know it's ridiculous. Yeah, so basically mapping that to Business initiatives business functions as we call them. What are the most critical business functions within my organization? What asset inventory sits within that business function in a nutshell? That's that's basically the resiliency review process and that's what we're automating by our

Lucas Nelson (24:57.193)

Very cool. All right, so I want to go on to some more about how do you learn? So I always try to ask my guests, how do they take in information? What are their favorite resources to do so? But how do you learn? What's the best learning modality for you? Is it audio, video, reading? So let's start there, and then I'm gonna start asking them about what resources you like in InfoSec or even outside of InfoSec.

Justine Bone (25:26.466)

I'm a mother, so indulging in a stream of video or audio is like a luxury that is really in... I need to be ready to be interrupted at any one point in time. So I still call me old school, I still read. I can read quite long documents because I sort of know I can put a pause on that whenever I need to and split to something else and then come back to it. I find it more difficult to do that with video content. I still read, I mean, this is embarrassing. I still read newspapers.

And do you know why? Do you know why I read newspapers? Because it, and this is just a personal thing. The process of reading a newspaper exposes me to things I never thought I would otherwise have focused on. You know, with all these recommendations engines, I get sick of what's recommended to me. I don't want to read what you think. I wanna think about 24-7. So I like the process of print layout because it puts other content in front of me that I would never normally have looked at. And that's to a certain extent, one way that I learn. I miss Twitter.

Lucas Nelson (26:31.709)

Have you tried Threads? 

Justine Bone (26:32.01)

Um, that's... what's that?

Lucas Nelson (26:42.746)

It's not bad. It's not Twitter yet. For the InfoSec world, you can hit, what is it, blue sky, and that's pretty good.

Justine Bone (26:52.298)

Yeah, yeah. I haven't yet invested the time to set up a new sort of group that I follow on any other platform. And I spent years curating the group that I follow on Twitter, lesson learned, right? So, still there, but people have sort of moved on. And I don't trust that.

I'll be getting the content I need as much anymore on that platform, so I've kind of given up on it. So that used to be a go-to for me, and I had a wide spectrum of sources from that still that deep technical vulnerability research hacking community, which really embraced Twitter through to more of the management and strategy and risk side of the spectrum. So I kind of moved a lot of my, well, certain types of sourcing to LinkedIn.

Especially on the thought leadership side of things and risk and where we're going with things like risk quantification and risk governance and of course resilience, but it has left a gap for me on the more technical side of things.

Are we good with that background from my end? Okay. I am really proud actually to be associated with an organization called INES, which is, I forget actually what the acronym stands for, Institute for Advanced Network Security, something like that, IANS. And it's way more than network security, I think it was just legacy where the organization came from. There's a whole bunch of security practitioners.

Lucas Nelson (28:08.498)

It'll be fine.

Justine Bone (28:36.886)

Very experienced security practitioners that are involved with the IMS platform. And that's become a newer source of information for me. It's really my peers in an industry who each have their own specialization of some kind. And I find that very helpful as well. And then to be quite frank with you, there's just the good old fashioned networks, right? Like reaching out to, to and, and building new networks based on content that I might find on.

Twitter or elsewhere. So for me, a lot of the problems that I work on are new to market. The math around resiliency, for example, I'm spending a lot of time thinking about quantifying risk and shifts in trends around quantifying risk and how does that map to the math and the metrics behind measuring resiliency. There's not a whole lot out there right now. So to a certain extent, I also learn from folks from other backgrounds, data scientists. For example, right now, which is a big focus for me, learning about how we might mature capabilities around measuring resiliency.

Lucas Nelson (29:43.261)

Nice. I have seen Irons. I always thought it was Ions. I was like, oh dear.

Justine Bone (29:48.786)

I mean, it's a funny thing to pronounce. And I would say Ian, right? Ian, but most folks say Irons, so I follow their lead.

Lucas Nelson (29:51.718)

Yeah.

Lucas Nelson (29:56.217)

Okay, I've definitely seen their letterhead. I just, I've never been to one of their events, so I didn't know I was saying it wrong until now.

Justine Bone (30:02.206)

It's a really interesting bunch of people because a lot of the folks involved are, like I said, extremely experienced. They've been working in information security as long as I have. But a lot of those folks have chosen to stay practitioners. So they will now be expert in identity and access management or zero trust solutions or, you know, other. Parts of our ecosystem that warrant.

That much focus and being a senior expert in that field. And I find that really useful because it's very hard for somebody to be an expert across the broad spectrum of cybersecurity today. It's just far too complex.

Lucas Nelson (30:45.649)

It has become one of those things where you really need to specialize if you're going to go deep. All right, so Speed Round. What's your favorite book?

Justine Bone (30:50.07)

Right, right, exactly.

Justine Bone (31:00.33)

Well, the professional book that comes to mind, hang on, let me just pull up the name of it, is regarding cyber risk quantification. And for a while, I thought this book is going to change my life. It's called How to Measure Anything in Cybersecurity Risk. Okay, did it change your life? Okay, well, okay, so you haven't read it yet. Okay, it might change your life. It gives one a lot of hope that finally we can start articulating risk in the boardroom.

Lucas Nelson (31:15.394)

I've never cracked it open. It's on my list.

Justine Bone (31:32.571)

The authors, Richard Siason, so he actually spoke at the Black Hat CSO Summit and I was incredibly impressed with his presentation. That's one of the projects that I also work on. I sit on the CSO Summit review board and he came in and spoke about measuring cybersecurity risk in just such an articulate way that compelled me to do more research. So that's a really great book. It puts most risk into the frame of financial loss scenario, which translates very nicely into the boardroom, as well as into other areas like insurance. So it's leveraging a lot of process used by actuaries and others who come from that kind of background within risk. And it's applied to cyber security. I won't say it's a one size fits all scenario completely, for example, healthcare, where financial loss is not so much of a concern sometimes as an impact to safety, patient safety.

So not always financial loss is the right thing to focus on, but I'm sure that some others out there would argue that 99% of the time it is. And it certainly helps us bridge that gap, like we just discussed earlier, between a conversation about risk in the boardroom versus a conversation about risk in the SOC, the Security Operations Center, yeah.

Lucas Nelson (32:52.521)

And then last, anything you want to plug.

Justine Bone (32:57.21)

You know, well, thank you. I think I will just with regards to Red Jack, we've talked about what reject us, but I would just like to add that the I have been so impressed with my colleagues at Red Jack. This company pivoted during Covid to be a remote first company and the level of collaboration and respect and the deep embedding of culture within a remote first company. I honestly didn't really think this was achievable. And I've just been so impressed with what the founding team achieved during that process. So it can be done, remote first can be done. I know that for sure now. Whereas maybe I had still a sort of a question mark in my head, I think coming out of COVID about what's best, what's the best model. So I'm a believer.

Lucas Nelson (33:50.929)

All right, so I'm gonna double click on that. I know it says lightning round, but that's too interesting to let go. What are some of the things they do that have worked? Because you're newer to it. You didn't start with it. So how do they get you into the culture? What's working? How did that happen?

Justine Bone (34:01.627)

Right.

Justine Bone (34:08.318)

Um, so I mentioned collaboration. Um, co-creation is one of the core values of the company co-creation. And that is highlighted when it is achieved and it's highlighted if it's not achieved. So if something comes out that perhaps a single, you know, expert or contributor had worked on, um, for some time and perhaps not invited.

Co-creation, that's addressed, that's discussed. That's like, why didn't this happen? And so there's a little bit of that sort of transparency culture to this as well. When things go great, great. When things, when we think we could have done a better job of aligning with our core values like co-creation, let's talk about that too. So that's, I think an example of something that really just enforces that co-creation and then by extension that collaboration that is happening digitally in a remote first day-to-day routine. And it shows in the results too, when you're leveraging the input of many different diverse sets of experience and backgrounds. Is that a useful example? Yeah.

Lucas Nelson (35:19.229)

That's super awesome. Next time we sit down, we'll just talk about remote-first work. Well, thank you so much for joining me. This was great. Candidly, I had to learn a whole bunch of stuff about your background I didn't know, and I had a blast. So thank you so much.

Justine Bone (35:25.439)

Okay.

Justine Bone (35:35.486)

Thanks for having me. Maybe we'll flip the tables next time and I'll interview you. I'd like to know more about your background. Thanks a lot for having me.

Lucas Nelson (35:43.121)

Can't wait. That'll be fun. Thank you.